MA/CSSE 473 Day 10 Primality Testing

MA/CSSE 473 Day 10 In-class exam: Friday, Sept 28 –You may bring a two-sided 8.5x11 inch piece of paper containing anything that you can read unaided or with normal eyeglasses. Student Questions Primality Testing, Carmichael numbers

Easy Primality Test? Is N prime? Pick some a with 1 < a < N Is a N-1  1 (mod N)? If so, N is prime; if not, N is composite Nice try, but… –Fermat's Little Theorem is not an "if and only if" condition. –It doesn't say what happens when N is not prime. –N may not be prime, but we might just happen to pick an a for which a N-1  1 (mod N) –Example: 341 is not prime (it is 11∙31), but  1 (mod 341) Definition: We say that a number a passes the Fermat test if a N-1  1 (mod N) We can hope that if N is composite, then many values of a will fail the test It turns out that this hope is well-founded If any integer that is relatively prime to N fails the test, then at least half of the numbers a such that 1 ≤ a < N also fail it. "composite" means "not prime"

How many "false positives"? If N is composite, and we randomly pick an a such that 1 ≤ a < N, and gcd(a, N) = 1, how likely is it that a N-1 is  1 (mod n)? If a N-1  1 (mod n) for some a that is relatively prime to N, then this must also be true for at least half of the choices of a < N. –Let b be some number (if any exist) that passes the Fermat test, i.e. b N-1  1 (mod N). –Then the number a∙b fails the test: (ab) N-1  a N-1 b N-1  a N-1 (mod N), which is not congruent to 1 mod N. –Diagram on whiteboard. –For a fixed a, f: b  ab is a one-to-one function on the set of b's that pass the Fermat test, –so there are at least as many numbers that fail the Fermat test as pass it. Q1

Carmichael Numbers A Carmichael N number is a composite number that passes the Fermat test for all a with 0< a<N and gcd(a, N)=1. –The smallest Carmichael number is 561 –We'll see later how to deal with these –How rare are they? Let C(X) = number of Carmichael numbers that are less than X. –For now, we pretend that we live in a Carmichael-free world Q2

Where are we now? For a moment, we pretend that Carmichael numbers do not exist. If N is prime, a N-1  1 (mod N) for all 0 < a < N If N is not prime, then a N-1  1 (mod N) for at most half of the values of a<N. Pr(a N-1  1 (mod N) if N is prime) = 1 Pr(a N-1  1 (mod N) if N is composite) ≤ ½ How to reduce the likelihood of error?

The algorithm (modified) To test N for primality –Pick positive integers a 1, a 2, …, a k < N at random –For each a i, check for a i N-1  1 (mod N) Use the Miller-Rabin approach, (next slides) so that Carmichael numbers are unlikely to thwart us. If a i N-1 is not congruent to 1 (mod N), or Miller-Rabin test produces a non-trivial square root of 1 (mod N) –return false –return true Note that this algorithm may produce a “false prime”, but the probability is very low if k is large enough. Q3

Miller-Rabin test A Carmichael number N is a composite number that passes the Fermat test for all a with 1 ≤ a<N and gcd(a, N)=1. A way around the problem (Rabin and Miller): Note that for some t and u (u is odd), N-1 = 2 t u. As before, compute a N-1 (mod N), but do it this way: –Calculate a u (mod N), then repeatedly square, to get the sequence a u (mod N), a 2u (mod N), …, a 2 t u (mod N)  a N-1 (mod N) Suppose that at some point, a 2 i u  1 (mod N), but a 2 i-1 u is not congruent to 1 or to N-1 (mod N) –then we have found a nontrivial square root of 1 (mod N). –We will show that if 1 has a nontrivial square root (mod N), then N cannot be prime. Q4,5

Example (first Carmichael number) N = 561. We might randomly select a = 101. –Then 560 = 2 4 ∙35, so u=35, t=4 –a u   560 (mod 561) which is -1 (mod 561) (we can stop here) –a 2u   1 (mod 561) –…–… –a 16u   1 (mod 561) –So 101 is not a witness that 561 is composite (we say that 101 is a liar for 561, if indeed 561 is composite) Try a = 83 –a u   230 (mod 561) –a 2u   166 (mod 561) –a 4u   67 (mod 561) –a 8u   1 (mod 561) –So 83 is a witness that 561 is composite, because 67 is a non- trivial square root of 1 (mod 561). Q6

Lemma: Modular Square Roots of 1 If s is neither 1 or -1 (mod N), but s 2  1 (mod N), then N is not prime Proof (by contrapositive): –Suppose that N is prime and s 2  1 (mod N) – s 2 -1  0 (mod N) [subtract 1 from both sides] – (s - 1) (s + 1)  0 (mod N) [factor] – So N divides (s - 1) (s + 1) [def of congruence] –Since N is prime, N divides (s - 1) or N divides (s + 1) [def of prime] –S is congruent to either 1 or -1 (mod N) [def of congruence] This proves the lemma, which validates the Miller-Rabin test Q7

Accuracy of the Primality Test Rabin* showed that if N is composite, this test will demonstrate its non-primality for at least ¾ of the numbers a that are in the range 1…N-1, even if a is a Carmichael number. Note that 3/4 is the worst case; randomly-chosen composite numbers have a much higher percentage of witnesses to their non-primeness. If we test several values of a, we have a very low chance of flagging a composite number as prime. *Journal of Number Theory 12 (1980) no. 1, pp

Efficiency of the Test Testing an n-bit number is Ѳ(n 3 ) If we use the fastest-known integer multiplication techniques (based on Fast Fourier Transforms), this can be pushed to Ѳ(n 2 * log n * log log n)

Testing "small" numbers From Wikipedia article on the Miller-Rabin primality test: When the number N we want to test is small, smaller fixed sets of potential witnesses are known to suffice. For example, Jaeschke* has verified that –if N < 9,080,191, it is sufficient to test a = 31 and 73 –if N < 4,759,123,141, it is sufficient to test a = 2, 7, and 61 –if N < 2,152,302,898,747, it is sufficient to test a = 2, 3, 5, 7, 11 –if N < 3,474,749,660,383, it is sufficient to test a = 2, 3, 5, 7, 11, 13 –if N < 341,550,071,728,321, it is sufficient to test a = 2, 3, 5, 7, 11, 13, 17 * Gerhard Jaeschke, “On strong pseudoprimes to several bases”, Mathematics of Computation 61 (1993)

Generating Random Primes For cryptography, we want to be able to quickly generate random prime numbers with a large number of bits Are prime numbers abundant among all integers? Fortunately, yes Lagrange's prime number theorem –Let  (N) be the number of primes that are ≤ N, then  (N) ≈ N / ln N. – Thus the probability that an n-bit number is prime is approximately (2 n / ln (2 n ) )/ 2 n ≈ 1.44/ n Q8

Random Prime Algorithm To generate a random n-bit prime: –Pick a random n-bit number N –Run a primality test on N –If it passes, output N –Else repeat the process –Expected number of iterations is Ѳ(n) Q9-11